perl-embperl mailing list archives

From "Gerald Richter" <rich...@ecos.de>
Subject RE: Cross Site Scripting
Date Tue, 24 Jan 2006 18:44:32 GMT
Hi,

> 
> I know there is probably a simple answer - according to the 
> docs if I set EMBPERL_ESCMODE to 4, then it should fix any 
> cross site scripting.

No, 4 is wrong, the best is to use 7 (which is the default). 4 is only for
disabling the special meaning of \ and will do nothing on its own.

You can see that it works at

http://www.perl-workshop.de/db/register.epl?lastname=%22%3E%3Cscript%3Ealert('vorsichtfalle!')%3C/script%3E%3C%22

Gerald


> 
> However if I have a text field called guess, and pass the 
> following line 
> 
> ?guess=%22%3E%3Cscript%3Ealert('vorsichtfalle!')%3C/script%3E%3C%22
> 
> The alert will appear - how can I disable this behavior, but 
> keep the normal fdat form population ?
> 



---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org
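The exchange above, as an added Python illustration that is not Embperl code: the quoted query string is decoded the way Embperl would place it in %fdat, then rendered back into the text field once without escaping and once with HTML escaping of the attribute value (the effect of the HTML-escape bit in escmode 7, emulated here with html.escape), and a parser shows that only the unescaped version breaks out of value="..." into a script element. The URL, template strings and helper names are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed request carrying the exact query string quoted in the thread.
REQUEST_URL = ("http://example.invalid/register.epl"
               "?guess=%22%3E%3Cscript%3Ealert('vorsichtfalle!')%3C/script%3E%3C%22")


def form_value(url, field):
    """Decode one form field from the query string (what ends up in %fdat)."""
    return parse_qs(urlsplit(url).query).get(field, [""])[0]


def render_unescaped(name, value):
    """Repopulate the field with the raw value (no HTML escaping, escmode 0/4 style)."""
    return f'<input type="text" name="{name}" value="{value}">'


def render_escaped(name, value):
    """Repopulate the field with the value HTML-escaped (escmode 7 style)."""
    return f'<input type="text" name="{name}" value="{escape(value, quote=True)}">'


class TagCollector(HTMLParser):
    """Records every start tag with its attributes, as a browser tokenizer would."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    """Return [(tag, {attr: value}), ...] for the given markup."""
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


if __name__ == "__main__":
    guess = form_value(REQUEST_URL, "guess")
    for label, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        tags = parse_tags(render("guess", guess))
        # Unescaped: ['input', 'script'] and an empty value; escaped: ['input'] only.
        print(label, [t for t, _ in tags], repr(tags[0][1]["value"]))
```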

